# Creating AssumeRole on AWS Console for AWS Management/Member Discovery

## Overview

AWS Organization Discovery requires the AWS Management Account to be associated with AssumeRole and ReadOnly access. This article explains how to create and associate the STS AssumeRole policy on the Management Account and how to create the Trusted Relationship with the Member Account.

## Procedure on Management Account

- Log in to the AWS console using the Root Credentials.
- Verify the AWS Organizations.
- The AWS Organization should have a minimum of 1 Management Account and 1 Member Account.

### The Management Account

The Management Account must have the below policy actions attached for the "Amazon AWS Organization" to identify it:

- DescribeOrganization
- DescribeAccount
- DescribeListAccounts

If the above policy actions are not available on the AWS Account, the account is treated as a regular account, not as the Management Account.

### Manually add the Policies to the Account

1. Log in to the Account which you would like to make the Management Account.
2. AWS Services >> IAM >> Policies >> Create Policy
3. Services: Choose "Organization" and "Accounts".
4. Resources: Account, Handshake, OrganizationalUnit, Policy, and mark them for Any.
5. Review Policy.
6. Provide a Policy name and Create the Policy.
7. Attach the policy to the Account.

### Verify if the Accounts are Management or Member Account

AWS Services >> IAM >> Organization Activity

The Root will have a list of the Accounts, and some are marked as Management.

### Create User and Associate Policy on Management Account

- AWS Services >> IAM >> Users >> Create User (we can also use the existing users).
- While creating the user, under Access Type check "Programmatic Access".

### Set Permissions to the user

- Choose "Attach Existing Policies".
- Create Policy >> Choose the below Service: STS.
- Under STS >> Write >> Select the Assume Role.

### Set the ARN at the Resources (Visual Editor)

- Select Resource: Specific (not All).
- Click on "Add ARN".
- The page will open to add the ARN for:
  - Account: >>>> Provide the "Member Account ID"
  - Role name with path: >>>> Provide the "OrganizationAccountAccessRole"

### Set the ARN at the Resources (JSON)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Member Account ID>:role/OrganizationAccountAccessRole"
        }
    ]
}
```

### Add Policy to the User

- Add "ReadOnly" and the newly created Policy to the User.
- Administrator Access is not needed.

### Verify the Summary of the User

Copy the User ARN; it needs to be entered in the trust relationship of the Member Account (see Procedure on Member Account).

## Procedure on Member Account

### Create a Role

- AWS Services >> IAM >> Roles
- Create a New Role >> Choose "Another AWS Account" and provide the Management Account ID.
- Click Next.
- Add Existing Policy to the Role, that is "ReadOnly Access".
- Click Next.
- Tags are not mandatory.
- Give the Role name as "OrganizationAccountAccessRole".
- Submit to create the Role.

### Add Trusted Relationship

- AWS Services >> IAM >> Roles
- Click on the newly created "OrganizationAccountAccessRole".
- The Permissions tab will show "ReadOnly Access".
- Click on "Trusted Relationship" >> Edit Trust Relationship >> Give the Management ARN.

The Management ARN is available at the User Summary page on the Management Account Console; refer to the "Verify the Summary of the User" section above.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Management Account ID>:user/User"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
```

## Additional Information

- Assume an AWS role for temporary Cloud Discovery credentials
- Assuming member roles with an AWS API
- AWS Organizations and Temporary Credentials
- Discovery - Assume Role enhancements for AWS Organizations
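The two JSON documents in the procedure have to agree with each other: the Resource in the management user's AssumeRole policy must name the role in the Member Account, and the Principal in that role's trust relationship must name the management user. A mismatch in either ARN is the usual reason the AssumeRole call fails with AccessDenied. The Python helpers below are an added example, not code from this article or from the Discovery product: they build both documents from a member account ID and a user ARN, cross-check a pair for mismatches, interpret an organizations DescribeOrganization response to tell a Management Account from a Member Account, and (assuming boto3 is installed and configured with the management user's programmatic-access keys) perform the live AssumeRole call. The account IDs and the user name `discovery` are constructed placeholders.

```python
"""Build and cross-check the AssumeRole permission policy (management account
user) and the trust policy (member account role) described in the procedure.
Added example; account ids and user names below are constructed placeholders."""
import json
import re

ROLE_NAME = "OrganizationAccountAccessRole"      # role name used in the procedure
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")           # AWS account ids are 12 digits
USER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/.+$")


def assume_role_policy(member_account_id: str) -> dict:
    """Permission policy attached to the management-account user."""
    if not ACCOUNT_ID_RE.match(member_account_id):
        raise ValueError(f"invalid member account id: {member_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}",
        }],
    }


def trust_policy(management_user_arn: str) -> dict:
    """Trust relationship on the role in the member account."""
    if not USER_ARN_RE.match(management_user_arn):
        raise ValueError(f"invalid IAM user ARN: {management_user_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": management_user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    }


def _aws_principal(statement: dict):
    """Principal may be a dict {"AWS": ...} or the bare string "*"."""
    principal = statement.get("Principal")
    return principal.get("AWS") if isinstance(principal, dict) else principal


def check_pair(perm_policy: dict, trust: dict, user_arn: str, member_account_id: str) -> list:
    """Return the mismatches between the two documents (empty list = consistent)."""
    problems = []
    expected_role = f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}"
    resources = [s.get("Resource") for s in perm_policy["Statement"]
                 if s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRole"]
    if expected_role not in resources:
        problems.append(f"permission policy does not allow AssumeRole on {expected_role}")
    principals = [_aws_principal(s) for s in trust["Statement"]
                  if s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRole"]
    if user_arn not in principals:
        problems.append(f"trust policy does not list {user_arn} as principal")
    if "*" in principals:
        problems.append("trust policy allows any AWS principal; restrict it to the discovery user")
    return problems


def is_management_account(describe_org_response: dict, account_id: str) -> bool:
    """Interpret an organizations:DescribeOrganization response: the account is
    the management account only if its id equals MasterAccountId."""
    org = describe_org_response.get("Organization", {})
    return org.get("MasterAccountId") == account_id


def assume_member_role(member_account_id: str, session_name: str = "discovery") -> dict:
    """Live call (assumes boto3 and the management user's keys in the environment);
    returns the temporary credentials for the member role."""
    import boto3  # imported here so the offline helpers above work without boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}",
        RoleSessionName=session_name,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    # Constructed sample values; replace with the real user ARN and member account id.
    user = "arn:aws:iam::111111111111:user/discovery"
    member = "222222222222"
    print(json.dumps(assume_role_policy(member), indent=2))
    print(json.dumps(trust_policy(user), indent=2))
    print("problems:", check_pair(assume_role_policy(member), trust_policy(user), user, member))
```

Run `check_pair` on the two documents before pasting them into the console; an empty list means the user ARN copied from the User Summary page and the role ARN built from the Member Account ID line up on both sides. `is_management_account` takes the raw DescribeOrganization response so the same check works against a saved JSON dump as well as a live call.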